Server Administrator Access
Many of these same questions are found on the user interface requirements and application administrator pages but it is most important to consider the same questions for system administrators since they can access the entire system and may have access to multiple projects supported by that system.
How will administrators connect to the system?
What functions will administrators need to perform?
Will different roles be available to administrators so different groups will have different privileges?
How will the roles be defined, who will set them, and will the system prevent escalation of privileges?
What data will the administrators need to enter into the system?
What information will the administrators need to see?
How will the administrator be identified?
How will administrator accounts be created? Who authorizes account creation and the allowable privileges? Who creates the account?
How will administrator accounts be removed? If someone changes job roles are appropriate changes made? Who removes the accounts?
How are passwords reset? Is an administrator adequately identified when they request a password to be reset?
Is there an account management plan defining how accounts are created, deleted, suspended, or how passwords are reset? Does it define who authorized changes to accounts and how this is enforced?
When the administrator logs in is the account information that is sent to the server adequately encrypted or hashed?
How is administrator account information stored? Is it encrypted adequately?
What protocol is used to authenticate the administrator? (Windows Domain, Novell)
How are privileges controlled? By the operating system or other method?
Should account activities (logins, logoff, execution of privileges) be logged or monitored?
If administrator activities are logged, can accounts be deleted? Accounts may not be deleted but only suspended if administrator activities are logged.
Other Account Access
Access from the application to the database - What protocol is used? Are the login credentials encrypted?
Service account access - Used to exchange data between servers usually at specified times. - What protocol is used? Are the login credentials encrypted?